[keycloak-user] keycloak-js: token in cookie
Massimo Redaelli
massimo.redaelli at celsiuspro.com
Thu Jan 10 10:08:07 EST 2019
I read here:
http://lists.jboss.org/pipermail/keycloak-user/2014-December/001389.html
that (if I understood correctly) at the time the JavaScript adapter didn't support returning the token in a cookie rather than in the response body.
Is that still the case?
I'm writing a SPA and I'm faced with the problem of where to store the token. Most tutorials just put it in local storage, or in a variable in memory, but I read around that it's very susceptible to XSS attacks, while using a secure, HttpOnly cookie is much safer.
What would you recommend?
Thanks
M.
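
The cookie option raised in the question above, as an added example that is not part of the original post and is not Keycloak or keycloak-js code: a server-side helper that builds a token cookie with the protective attributes, and a check that reports which of them a given `Set-Cookie` value lacks. The function names and the cookie name `session_token` are hypothetical, and the sample header values are constructed.

```javascript
// Added example. buildTokenCookie, auditTokenCookie and "session_token"
// are hypothetical names, not part of keycloak-js.

// Build a Set-Cookie value for a token the browser sends automatically
// but page scripts cannot read.
function buildTokenCookie(name, token, maxAgeSeconds) {
  return [
    `${name}=${encodeURIComponent(token)}`,
    `Max-Age=${maxAgeSeconds}`,
    'Path=/',
    'HttpOnly',        // hidden from document.cookie
    'Secure',          // only sent over HTTPS
    'SameSite=Strict', // not attached to cross-site requests
  ].join('; ');
}

// Parse one Set-Cookie value and return the names of the protective
// attributes that are missing or too weak.
function auditTokenCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim()).filter(Boolean);
  if (!pair || pair.indexOf('=') < 1) {
    throw new Error('not a Set-Cookie value: expected name=value first');
  }
  const flags = new Map();
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const value = i === -1 ? '' : attr.slice(i + 1).trim().toLowerCase();
    flags.set(key, value); // attribute names are case-insensitive
  }
  const missing = [];
  if (!flags.has('httponly')) missing.push('HttpOnly');
  if (!flags.has('secure')) missing.push('Secure');
  const sameSite = flags.get('samesite');
  if (sameSite !== 'strict' && sameSite !== 'lax') missing.push('SameSite');
  return missing;
}

// Constructed sample values.
const hardened = buildTokenCookie('session_token', 'aaa.bbb.ccc', 300);
const weak = 'session_token=aaa.bbb.ccc; Path=/; SameSite=None';
console.log(hardened, auditTokenCookie(hardened));
console.log(weak, auditTokenCookie(weak));
```

`HttpOnly` only keeps scripts from reading the cookie; because the browser then attaches it to requests automatically, the `SameSite` check matters for cross-site request forgery.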